10 gb routing hardware

I currently have a protectli FW4 router running pfsense with 1gb Internet. My ISP now offers 2gb, which I would like to upgrade to. I’ve always been a fan of installing my router software on bare metal to separate it from the rest of my equipment.
With that being said, if I were to build a new router that supports 2.5g coming in, and my 10g lan, it seems that I might be leaving some compute on the table if I just used it for routing.
I’m looking for some opinions to help me choose the best path.

  1. build the router on bare metal, you're not leaving anything on the table.
  2. virtualize it along with any external services.
  3. virtualize it, use this as an opportunity to build a new beast hypervisor to replace your old stuff.
  4. something else?
I’m in no hurry to do this, but want to make the best choice and future proof it a bit.
Anyone have any thoughts?

I always prefer having it based on real hardware as it’s easier to troubleshoot issues and if I am doing hypervisor maintenance I don’t have to worry about my internet not working.


#1, as Tom already said !

…or #4: Virtualize it, but on a dedicated device with very few additional VMs that, if at all, only run network-related stuff. Then you get most of the benefits of virtualization, like easy cloning of VMs, backups of the entire VMs, and all that nice stuff, without putting all your eggs in one basket.

…or maybe #2, but definitely not #3. :wink:

Virtualize it, but on a dedicated device with very few additional VMs that, if at all, only run network-related stuff. Then you get most of the benefits of virtualization, like easy cloning of VMs, backups of the entire VMs, and all that nice stuff

I thought about doing that when I upgraded my pfSense hardware recently, but I found that if you install pfSense Plus on the ZFS file system (instead of the legacy UFS) you get most of this in the “boot environments” feature. It’s a different story if you are running CE edition. Just an FYI…

Go the virtualization route, or at least give it one or two hours of testing. Once you get past the initial troubleshooting phase (if any) there is nothing but upside.

I do not run pfSense and have not virtualized my router per se, but I do run a number of services on my router hardware in a VM/container environment (no VMs now). Have done this at a small production environment (3 sites) in the past. It works great. A few caveats: my host OS is bare bones and I had a second box that was identical (last generation typically) and underutilized. I could roll over to that one in case of catastrophic hardware failure.

If you do the host OS right, you could just lock it down to physical access and just let it run for two years. Not the greatest idea if you are extremely concerned about security, but no more risky than option 1.

Doing this completely removes the risk of updating the host OS, but you could also just run it bare bones and snapshot root. Again, the latter is what I do, but I wouldn’t scoff at the set-it-and-forget-it idea if done right.

I’ve seen NIC cards with dual 1 Gbps and dual 10 Gbps but haven’t seen any with dual 2.5 Gbps yet. Might have been because I was only looking for i350-based cards (i350/X540).

Virtualizing your router along with other external services could be a viable option if you have spare resources on your existing hypervisor and want to consolidate your infrastructure. However, given the demands of routing a 2.5G connection and managing a 10G LAN, ensure that your hypervisor has sufficient resources to handle the workload effectively without impacting performance.

Do you really need a 10GB LAN port on the router? Surely a 2.5GB will do.

Any devices on the 10GB LAN will route traffic directly and not via the firewall.

I think if I stay with pfSense I’ll just stick with dedicated hardware.
I know a lot of folks do not say a lot of good things about the Unifi UDM, but I’m also curious how that might work out?
I currently use 3 Ubiquiti APs, and am curious as to the benefits of using their router. Currently I’m using pfSense with DDNS, HAProxy, pfBlocker, DHCP, DNS. Is it worth it to migrate to Unifi routing? The UI looks pretty and new/shiny, but after it’s set up and stable, do you guys use it much?

I do not, but there are certainly people on r/unifi who spend all their money on Unifi gear and then spend all their free time playing with the shiny interface of the Unifi controller :wink:

…and yes, a single pane of glass is certainly nice, but at the end of day you have to ask yourself, does it have all the features you need?

For example, the Unifi routers do not offer HAProxy (or any other reverse proxy). So is the shiny interface worth the effort of hosting a separate reverse proxy? A question only you can answer.

Also, the features that are available in Unifi routers often lack the advanced configuration options available in pfSense, and/or are integrated in a weird Unifi-specific way that I don’t think is always easier to understand, especially if you’re already used to other networking gear. Aesthetics are not everything :wink:

And last but not least. You already have a pfSense box and it works and does what you want, so why spend money and change something just for the sake of it? :wink:

Yes, I do believe the two of us are on the same page.
I already have pfSense configured, it does everything I need, and it is super stable. I should not let new/shiny lure me in and cause all kinds of unneeded stress to get this new platform working.
Thank you, I appreciate you taking the time to chime in.

The UDM Pro was part of my progression and I used it for just under one year. I switched to pfSense as I wanted to progress further and they did not have a VPN server solution at that time. I have no complaints as to the UDM Pro and think that it is a good device and served me well.